-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-96:20					    Security Advisory
						        	FreeBSD, Inc.

Topic:		unauthorized access via buffer overruns
		cron, crontab, ppp

Category:	core
Module:		cron, crontab, ppp
Announced:	1996-12-16
Affects:	1.0, 1.1, 2.1.0, 2.1.5, 2.1.6, 2.1.6.1
Corrected:	2.2-current as of various dates (see below)
		2.1-stable  as of various dates (see below)
FreeBSD only:	yes

Patches:	ftp://freebsd.org/pub/CERT/patches/SA-96:20/

=============================================================================

I.   Background    

     Buffer overrun (aka stack overflow) exploits in system
     supplied and locally installed utilities are commonly
     used by individuals wishing to obtain unauthorized access to
     computer systems.  The FreeBSD team has been reviewing and
     fixing the source code pool to eliminate potential exploits
     based on this technique.  We've found several such exploits
     (and more have been reported by other sources) and strongly
     suggest that all operators of FreeBSD machines upgrade to
     the latest version of FreeBSD (2.1.6.1 at the time of this
     advisory) if there is a possibility for untrustworthy users
     to have standard user level access to the system.

     Most of these problems were fixed with the release of
     FreeBSD 2.1.6.1, however the following were not:

     In August of 1996, exploits were discovered in the
     cron and crontab utilities in FreeBSD.  These were fixed
     in the -current source code pool in August of 1996, but
     due to a clerical error, were not repaired in the older
     -stable source code pool used to generate the FreeBSD
     2.1.X distributions until 16-Dec-1996.
     Recently, yet another buffer overrun was discovered
     in the cron and crontab utilities in FreeBSD. The problem
     was corrected on 16-Dec-1996 in both -current and -stable.

     Also recently, a similar overrun has been discovered in the
     ppp utility.  This was fixed in both -current and
     -stable source code pools on 16-Dec-1996.


II.  Problem Description

     The programs in question store user-supplied information
     in internal buffers.  There is no range checking on length
     of the data copied into these buffers.  A malicious user
     may be able to overflow these buffers through the use of
     command line options or via enviornment variables and
     insert and execute their own code fragment which could
     be used to obtain unauthorized access to the system


III. Impact

     The programs in question may be subverted to allow an
     unprivileged user to gain root access to the system.

     These vulnerability can only be exploited by individuals
     with access to the local system.


IV. Workaround

     Setuid programs invoked by the user may have their setuid
     permissions removed, or their protection attributes modified
     so unprivileged users may not operate them at all.
     This may reduce or eliminate some functionality provided by
     these programs to normal users.

     To remove setuid privileges:

     crontab:		# chmod ug-s /usr/bin/crontab
     ppp:		# chmod ug-s /usr/bin/ppp

     The cron program is started by the system on every boot.
     This auto-start may be temporarily disabled, and the running
     cron program stopped.  However, cron is a valuable system
     utility,  so we suggest this as a temporary workaround only.

     To stop cron from executing on system boot, edit the /etc/rc
     file and change the line:
		echo -n ' cron'; cron
     so it reads:
		# echo -n ' cron'; cron.

     To turn off a running cron, use the ps program to determine
     the PID of the currently running cron (use "ps") and type:

		# kill <pid of running cron>

V. Solution

     The following patches fixes the vulnerabilities.  It should
     apply cleanly to all FreeBSD 2.1.x systems.  It has not been
     tested with FreeBSD 1.x.

     After applying these patches, recompile and re-install the
     affected utilities.


    *** usr.sbin/cron/cron/database.c	1994/08/27 13:43:03	1.1.1.1
    --- usr.sbin/cron/cron/database.c	1996/09/10 03:38:20	1.3
    ***************
    *** 112,119 ****
      		if (dp->d_name[0] == '.')
      			continue;
      
    ! 		(void) strcpy(fname, dp->d_name);
    ! 		sprintf(tabname, CRON_TAB(fname));
      
      		process_crontab(fname, fname, tabname,
      				&statbuf, &new_db, old_db);
    --- 112,119 ----
      		if (dp->d_name[0] == '.')
      			continue;
      
    ! 		(void)snprintf(fname, sizeof fname, "%s", dp->d_name);
    ! 		(void)snprintf(tabname, sizeof tabname, CRON_TAB(fname));
      
      		process_crontab(fname, fname, tabname,
      				&statbuf, &new_db, old_db);
    
    *** usr.sbin/cron/crontab/crontab.c	1996/04/09 21:23:11	1.3.4.1
    --- usr.sbin/cron/crontab/crontab.c	1996/08/05 00:50:02	1.6
    ***************
    *** 167,173 ****
      					ProgramName, optarg);
      				exit(ERROR_EXIT);
      			}
    ! 			(void) strcpy(User, optarg);
      			break;
      		case 'l':
      			if (Option != opt_unknown)
    --- 165,171 ----
      					ProgramName, optarg);
      				exit(ERROR_EXIT);
      			}
    ! 			(void) snprintf(User, sizeof(user), "%s", optarg);
      			break;
      		case 'l':
      			if (Option != opt_unknown)
    ***************
    *** 198,204 ****
      	} else {
      		if (argv[optind] != NULL) {
      			Option = opt_replace;
    ! 			(void) strcpy (Filename, argv[optind]);
      		} else {
      			usage("file name must be specified for replace");
      		}
    --- 196,203 ----
      	} else {
      		if (argv[optind] != NULL) {
      			Option = opt_replace;
    ! 			(void) snprintf(Filename, sizeof(Filename), "%s",
    ! 					argv[optind]);
      		} else {
      			usage("file name must be specified for replace");
      		}
    ***************
    *** 480,486 ****
      			ProgramName, Filename);
      		goto done;
      	default:
    ! 		fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n");
      		goto fatal;
      	}
       remove:
    --- 479,486 ----
      			ProgramName, Filename);
      		goto done;
      	default:
    ! 		fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n",
    ! 			ProgramName);
      		goto fatal;
      	}
       remove:
    
    --- usr.sbin/cron/lib/env.c	1994/08/27 13:43:02	1.1.1.1
    +++ usr.sbin/cron/lib/env.c	1996/12/16 18:11:57
    @@ -115,7 +115,7 @@
     {
     	long	filepos;
     	int	fileline;
    -	char	name[MAX_TEMPSTR], val[MAX_ENVSTR];
    +	char	name[MAX_ENVSTR], val[MAX_ENVSTR];
     	int	fields;
     
     	filepos = ftell(f);
    
    
    --- usr.sbin/ppp/chat.c	1996/06/10 09:41:45	1.4.4.2
    +++ usr.sbin/ppp/chat.c	1996/12/15 20:40:26
    @@ -315,7 +315,7 @@
         }
         cp--;
       }
    -  sprintf(tmp, "%s %s", command, cp);
    +  snprintf(tmp, sizeof tmp, "%s %s", command, cp);
       (void) MakeArgs(tmp, &vector);
     
       pipe(fids);
    
    --- usr.sbin/ppp/systems.c	1995/05/30 03:50:58	1.5
    +++ usr.sbin/ppp/systems.c	1996/12/15 20:40:26
    @@ -75,12 +75,12 @@
       cp = getenv("HOME");
       if (cp) {
         SetUserId();
    -    sprintf(line, "%s/.%s", cp, file);
    +    snprintf(line, sizeof line, "%s/.%s", cp, file);
         fp = fopen(line, "r");
       }
       if (fp == NULL) {
         SetPppId();
    -    sprintf(line, "%s/%s",_PATH_PPP, file);
    +    snprintf(line, sizeof line, "%s/%s", _PATH_PPP, file);
         fp = fopen(line, "r");
       }
       if (fp == NULL) {
    @@ -115,12 +115,12 @@
       cp = getenv("HOME");
       if (cp) {
         SetUserId();
    -    sprintf(line, "%s/.%s", cp, file);
    +    snprintf(line, sizeof line, "%s/.%s", cp, file);
         fp = fopen(line, "r");
       }
       if (fp == NULL) {
         SetPppId();		/* fix from pdp@ark.jr3uom.iijnet.or.jp */
    -    sprintf(line, "%s/%s",_PATH_PPP, file);
    +    snprintf(line, sizeof line, "%s/%s", _PATH_PPP, file);
         fp = fopen(line, "r");
       }
       if (fp == NULL) {

=============================================================================
FreeBSD, Inc.

Web Site:			http://www.freebsd.org/
Confidential contacts:		security-officer@freebsd.org
PGP Key:			ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:		security-notifications@freebsd.org
Security public discussion:	security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMrb4FlUuHi5z0oilAQGCjQP/TcKygSf3CLwfJcPSnsQnc0k5fkF3QZvk
Lp4K7FTua7M0AHHMn4gjpZEqB0+eqxMEGuZ+VXISSoESWyaOSz+hVLmLU2UZDLO0
WWZWw3MM3UeWAzLLXwRPTLN0tQlpQJyqPNH1okb4c/Lx9IugN1wcGfbiTnOF3NaC
d8lhtqcQoi4=
=zAKC
-----END PGP SIGNATURE-----
